1. September 27, 2013 Deborah C. Hiser Julianne P. Story
HIPAA IN THE WORKPLACE
September 27, 2013
Deborah C. Hiser
Julianne P. Story

2. Agenda HIPPA/HITECH overview. Employee conduct posing risk.
Social media (photography, posting, blogging).
Snooping.
Lost laptops.
Communicating with patients ( , texting).
Best practices to minimize risk.
Penalties.

3. HIPAA/HITECH Overview: How are Things Different?
HITECH Omnibus Final Rule Changes:
Business Associate Requirements
Limits on Fundraising and Marketing
Sale of PHI
Expanded Patient Rights (NPP, Restrictions, Access, Gina)
Breach Notification
Penalties

4. BIG Changes for Business Associates and Subcontractors
Chain of Trust Concept
A subcontractor means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of the workforce of such business associate
Covered Entity
*First Step K
Business Associate
*SUB BA
Contract
Lets start with what I consider to be one of the biggest changes to the HIPAA regulations since they were first published.
Taking a look at this chart. HIPPAA has always required that a CE enter into a BA Agreement with vendors that provide services, use, or disclose PHI on their behalf. What is new under the MegaRule, is that Business Associates must now enter into SUB BA Agreements with their vendors.
This creates an automatic “chain of trust” following the use and disclosure of PHI. Each entity in the chain is required by regulation and by contract to protect the PHI and administer it consistently with the obligations of the Covered Entity at the top of the chain.
What is also important, is that this is a “chain of trust with teeth.” Each entity in this chain will be subject to Business Associate Contractual obligations, and therefore subject to both civil monetary penalties and contractual remedies for violations which is an area I really want to focus on.
Sub-BA
* Sub-Enters into K with Sub-SUB BA

5. BIG Changes for Business Associates and Subcontractors
Subcontractors Must
Comply with the technical, administrative, and physical safeguard requirements under the Security Rule and are liable for Security Rule violations
Comply with use or disclosure limitations expressed in its contract and those in the Privacy Rule and criminal and civil liabilities attach for violations
Not a completely new concept for Texas BUT……
Liability flows to all subcontractors
CE under an obligation to get written assurances from their BAs
FIRST GO THROUGH SLIDE INFO
So, the new rule does a couple of things in terms of liability:
Under the old rule, Subcontractors were only regulated second-hand by contract. Subcontractors are now full-fledged Business Associates- as are their subcontractors in turn.
Current Business Associates are directly exposed to regulatory penalties and are directly liable under HIPAA for things like:
Impermissible uses and disclosures
For a failure to provide breach notification to the CE
For a failure to provide access to a copy of EPHI either to covered entity, individual or designee (whichever is spec ified in BAA)
For a failure to disclose PHI where required by the Secretary to investigate
Failure to provide an accounting
Failure to comply with requirements of Security Rule
Everything else is based on contract!!
Covered entities and business associates re-assess their legal risks and compliance strategies. They should also review and revise their subcontracting strategies. While ideally existing Business Associates should have been staying abreast the developing law, the reality is that many probably have not, and will need to be advised and supported in understanding their new obligations and exposures.

6. Expanded Rights: Notice of Privacy Practices
NPP to Include a Statement That:
Uses and disclosure of PHI for marketing requires authorization
Disclosures that constitute a sale of PHI require authorization
If CE intends to contact an individual to raise funds, patient has the right to opt out
If health plan uses PHI for underwriting, CE is prohibited from using genetic information for those purposes
CE has to agree to certain restrictions if patient has paid in full, out-of-pocket
CE must notify affected patients following a breach (check state laws of breach!)
The regulations require modifications and redistribution of the NPP
In terms of updating, a CE needs to update their NPP to include a statement that
1. Disclosure of psychotherapy notes require authorization:

7. Expanded Rights: Requests for Restriction
Change of Law
CE must agree to a requested disclosure restriction if:
Disclosure is for payment or health care operations purposes and is not otherwise required by law; and
The PHI pertains solely to a health care item or service for individual, or person other than the health plan on his/her behalf, has paid covered entity in full.
Action Item
Update policies and procedures
Update BA Agreements
Normally, A CE does not have to agree if an individual requests restrictions related to use or disclosure of PHI. However, as a result of the Mega Rule, a CE must now agree to a request to restrict the disclosure of PHI if the disclosure is for payment or health care operations and the PHI relates to a health care item or service that the individual has paid in full.
Health care providers do not need to create a separate medical record or otherwise segregate PHI subject to a restricted health care item or service. However, a CE does need somehow employ some method to flag or make notation in the record of PHI that has been restricted. It is important to do this so that PHI is not inadvertently accessible to a health plan during otherwise normal payment or health care operations – for example during audits by a health plan.
There were also quite a few comments about Medicare??? The comments make clear that If a provider is required by State or other law to submit a claim to a health plan for covered service, and there is no exception or procedure for individuals wishing to pay out of pocket, then the disclosure is required by law and the CE is not required to comply with the restriction. With respect to Medicare, it is our understanding that when a physician furnishes a service that is covered by Medicare, then it is subjection to the mandatory claim submission which requires that if a physician or supplier charges or attempts to charge a beneficiary any remuneration for a service that is covered by Medicare, then the physician must submit claim to Medicare. However, there is an exception to this rule where the beneficiary refuses, of his own free will, to authorize submission of a bill to Medicare. In such cases, a provider is not required to submit a claim to Medicare for the covered services and may accept out of pocket payment.

8. Expanded Rights: Access
Change of Law
If CE uses or maintains an EHR with PHI of an individual, individual shall have the right to obtain from CE a copy of such information in electronic format and individual may direct CE to transmit such copy directly to the individual’s designee, provided that any choice is clear, conspicuous, and specific.
TX Law: H.B. 300 has a faster turnaround time!
Action Items
Update policies and procedures
Update patient forms
Update BA
If an individual requests PHI that is maintained electronically in a designated record set, the final rule provides that the CE must provide the individual with electronic access in a form and format requested by the individual, if the information is readily producible in such format. If the CE cannot provide that format, then the CE and the individual can agree on another electronic form. Texas HB 300 also provides similar provisions.
There are A couple of things to consider:
First, If the designated record set includes electronic links or images or other data, the images or other data that is linked to the designated record set must also be included in the electronic copy provided to the individual. The electronic copy must contain all PHI electronically maintained in the designated record set AT THE TIME THE REQUEST IS FULFILLED.
Second, a CE is not required to scan paper documents to provide electronic copies of records maintained in hard copy.
There were also a lot of questions about portable devices??? The idea is that a patient comes to office, requests their record electronically and provides a flash drive or CD. The concern here is that the patient’s portable device can introduce viruses or other security concerns for the CE. As we all know, a CE is under an obligation to maintain the security and integrity of PHI under the Security Rule.
SO WHAT ARE YOU TO DO?
The Department acknowledges that A CE is not required to accept the external media if it determines there is an unacceptable level of risk. (so everyone should be documenting a risk assessment at this point).
It is important to note that if a CE decides the risk is too high, a CE can’t turn around and then require individuals to purchase portable medical device from the CE if the individual does not wish to. However, The individual may opt to receive an alternative form of the electronic copy, such as through . In regarding the comments, I found it interesting that the Department suggested informing patient that there is a riski to unencrypted .

9. Expanded Rights: Genetic Information
GINA Provisions:
Requires “Genetic Information” be treated as PHI
Prohibits Health Plans from using/disclosing genetic information for underwriting purposes
Terms and definitions track regulations prohibiting discrimination in provision of health insurance based on genetic information

10. Marketing Change In Law
Authorization required for all treatment and health care operation communications where CE receives financial remuneration for making communications
Exceptions (refill reminders, treatment, case management)
Action Items
Update policies and procedures
Don’t forget to incorporate state law, if any
Update authorization form
The mega rule significantly modified the proposed rules’ approach to marketing. Under the new rule, marketing includes communications about a product or service that encourages recipients to purchase or use the product or service. There are exceptions. For example, refill reminders so long as the financial remuneration is for the cost of the communication are ok. In addition, treatment and certain healthcare operations are not considered marketing if there is NO financial remuneration.
For me, What is really significant under the new rule is that authorization is required for all treatment and healthcare operations where the CE receives financial remuneration. For those of you who find this terribly exciting and have been following all of the changes to HIPAA, this change is directly related to comments and responses where there was significant confusion as to what constitutes treatment is or what constitutes health care operation.
For example, the NPRM indicated that population based activities did not constitute treatment and were considered a health care operation. Rather than having a grey area, The Department did away with that discussion by just saying that if a CE receives financial remuneration, specific authorization is required.
“Financial remuneration” means direct and indirect payment from or on behalf a third party whose product or service is being described. Two things are noteworthy here. First, the term financial remuneration does not include non-financial benefits, such as in-kind benefits provided to a covered entity. In addition, financial remuneration only includes payments made in exchange for making the communication. For example, if a third party provides financial remuneration to a CE to implement a disease management program, the CE does not need authorization as long as the communication are about the CE’s program itself. In this example, the communication is only encouraging individuals to participate in the CE disease management program and is not encouraging individuals to use or purchase a third party’s product or service.
Texas Considerations: H.B 300 and Mega rule define “marketing” the same; (2) Exceptions the same with respect to treatment and case management (3) Refill reminders are a bit different and require analysis;

11. Prohibition on Sale Of PHI
Update
PHI cannot be sold without patient authorization
Many exceptions-
Public health
Research (limited to cost-based fee)
Treatment/Payment
Sale, transfer, merger/consolidation
CEs/BAs need to evaluate all situation where PHI is sold
In addition to the Marketing provisions, HITECH Act prohibits the sale of PHI with certain exceptions
A covered entity or business associate may not disclose PHI in exchange for in kind benefits, unless the disclosure falls within an exception. Exceptions to the authorization requirement: include GO THROUGH LIST
In terms of definitions, it is noteworthy that the term “sale of PHI” includes disclosures of PHI where the CE or BA receives direct or indirect remuneration from the recipient in exchange for the PHI. This is different than marketing. Remember that marketing refers to financial remuneration. So there is a definite distinction.

12. BREACH
The interim final regulation clarified that statute incorporated a “risk of harm” threshold – notice is required where there is a “significant risk of financial, reputational or other harm.”
CEs have been reporting breaches under this standard for two years
DEBBIE

13. Two significant changes:
BREACH The Big News
Two significant changes:
Modified the “presumption” for breach reporting
Notification is required to affected individuals unless CE/BA- “demonstrate there is a low probability that the PHI has been compromised based on a risk assessment.”
DEBBIE
Impermissible use or disclose = breach unless low probability that compromised
Provider to provider = low probability that data has been compromise.

14. BREACH Risk Assessment
CE/BA must perform a “risk assessment” to determine if there is a low probability of a “compromise” of the PHI.
If risk assessment reveals a low probability of compromise, notification is not required.
CE/BA can provide notice without a risk assessment.
DEBBIE

15. BREACH: Elements of Risk Assessment
The nature and extent of PHI involved, including types of identifiers and likelihood of re-identification;
The unauthorized person who used the protected health information or to whom the disclosure was made;
Whether the protected health information was actually acquired or viewed; and
The extent to which the risk to the protected health information has been mitigated—Can it be used, for example, for ID theft, Medical ID Fraud, hackers to destroy integrity, can forensics say it was accessed/used?
DEBBIE
Financial sensitive – credit card #, SS#, or other information that increases the risk of identity theft
DHS indicated that it will provide additional guidance

16. Employee Conduct Posing Risk: Social Media
Many benefits:
Easy & effective mode of communication
Marketing opportunity
Bolster professional relationships
Downside: Immediate and broad dissemination of information. Disgruntled employees use social media to criticize employers/patients
Deliberate vs. inadvertent disclosure

17. Employee Conduct Posing Risk: Social Media – Examples:
Innovis Health – use of Facebook to communicate unauthorized shift change updates to co-workers;
Westerly Hospital – Rhode Island physician posted information on personal Facebook page regarding trauma patient.
Byrnes v. Johnson County Community College – nursing student posted photo of placenta on FB.
Nurse fired for posting on personal FB page she treated a “cop killer” after many news accounts named the accused shooter and the hospital at which he was treated.

18. Employee Conduct Posing Risk: Snooping
Kaiser Permanente’s Bellflower Hospital – (2009) fined $250,000 for failing to prevent employees from accessing Octomom’s records.
Cedars Sinai Medical Center – (2013) 6 employees terminated after accessing records of Kardashian baby.
UCLA Health System settlement with OCR (2011) after employees snooped into celebrity medical records.
Monetary payment of $865,000
Implement new security privacy rules
Improve employee training
Discipline employees for violations
Designate independent compliance monitor

19. Employee Conduct Posing Risk: Camera Phones
Photography is easy.
Photos can be easily shared, including on social media.
Once shared cannot be deleted (breach can be ongoing)
Can be done surreptitiously.
Photos can be PHI (even without patient name).
Examples:
Rady Children’s Hospital – San Diego (2006) – child pornography
Mayo Clinic’s Phoenix Hospital – inappropriate photograph of a patient under anesthesia.
University of New Mexico Hospital – photos of ER patient’s injuries posted on MySpace.
Martin Medical Center in Florida – photos of shark attack victim shared with friends (2010)

20. National Labor Relations Act
Employees have the right to self-organization, to form, join or assist labor unions, to bargain collectively, and to engage in “concerted activities” for mutual aid or protection (Section VII).
It shall be an unfair labor practice for an employer to interfere with, restrain or coerce employees in the exercise of the rights guaranteed by Section VII.
NLRB standard: Whether the rule would unreasonably tend to chill employees in the exercise of their Section VII rights.

21. NLRB: Social Media Can Be “Concerted Activity”
Employees have a legal right under the NLRA to discuss their working conditions on social media websites.
Concerted activity v. individual employee rights.
Unique tension in Healthcare environment.

22. Employee Conduct: Communications With Patients
and Texting
April 2012 survey: 73% of physicians text other physicians at work.
Do texts constitute “medical record”.
Security-Privacy/preservation concerns.
Check state law

23. Employee Conduct: Lost or Stolen Laptop
ANA
In a March 2012 interview with Leon Rodriguez, he was asked to provide some guidance on some of the most common compliance issues that have been identified in the first 20 initial audits. He declined to provide any guidance as to the initial 20 audits and instead referenced what is going on in terms of breach notifications.
As you are all aware, the HITECH act requires HIPAA covered entities to notify affected individuals, the Secretary, and in some cases the media following the discovery of a breach of UNSECURED PROTECTED HEALTH INFORMATION
2010 was the first full calendar year for reporting
THEFT was the #1 common reported case of large breaches in 2009 and 2010
The majority of theft incidents involve the THEFT OF PAPER RECORDS or ELECTRONIC MEDIA—ESPECIALLY LAPTOP
It will be interesting to see if the audits fall in line with what we are seeing with breach notification and enforcement.

24. First HIPAA breach settlement involving less than 500 patients
Hospice of North Idaho
$50,000
Stolen laptop with ePHI of 441 patients
Failed to include laptops and other mobile devices in security risk assessment
January 2, 2013
The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June  Laptops containing ePHI are regularly used by the organization as part of their field work.  Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI.  Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.  Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach.  Smaller breaches affecting less than 500 individuals must be reported to the Secretary on an annual basis. 
A new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, has been launched by OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) that offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones. 

25. Best Practices: Laptops
No PHI on personal laptops
All PHI on laptops is encrypted
If company issued laptops are removed, check in-check out system
All laptops have kill switch
Same policies re: mobile phones & iPads/Notebooks

26. Best Practices: Policies
Confidentiality
Emphasize policy
Identify Privacy Officer
Security
Encryption
Encourage reporting of violations
Address texting
Address photography

27. Best Practices: Policies
Employee Discipline
Clearly specific prohibited conduct
Clearly specify consequences of violation
Follow through
Social Media
Clearly describe protection for PHI
Prohibit posting or discussing patient information on social media (even if name is not used)
Use specific examples
Consider banning access to social media on work computers
Cannot prohibit use of logo
Be mindful of NLRA protections
Computer use

28. Employee Training When: What: New hires Periodic/regular update
Follow-up training
Check state law
What:
Confidentiality obligations
Define PHI
Social media/computer use
Discipline – set forth disciplinary consequences for violations
Allow for discretion in enforcement
Enforce consistently

29. Audits: What to Expect
When a covered entity is selected for an audit, OCR will notify the covered entity in writing.
OCR notifies selected covered entities between 30 and 90 days prior to the anticipated onsite visit. According to the OCR, Onsite visits should take between 3 and 10 business days depending upon the complexity of the organization and the auditor’s need to access materials and staff. However, according to a KPMG representative, onsite visits typicall ran up to 7 days on the field.
After fieldwork is completed, the auditor provided the covered entity with a draft final report; a covered entity will have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.

30. Audits: What to Expect Lessons Learned From Piedmont
Establishing and terminating user’s access to systems housing ePHI
Emergency access to electronic information systems
Inactive computer sessions (periods of inactivity)
Recording and examining activity in information systems that contain or use ePHI
Risk assessments and analysis of relevant information that house or process ePHI data.
Employee sanction policies
Incident reports
Audit logs and access reports
Listing of all network perimeter devices, i.e. firewalls and routers
In February of 2007, HHS through the Office of Inspector General conducted a random HIPAA audit of Piedmont hospital.
The Piedmont audit letter also included an enclosure asking for a list of documents and information to be provided. Over 40 questions or requests for documentation were asked in the Piedmont case.
The types of information requested during the Piedmont audit are certainly fair game in the KPMG audits.
When preparing for an audit, use Piedmont as base for what to expect and designate specific individuals within you entity to take the lead on these issues.
On June 26, HHS' Office for Civil Rights released the protocol it is using to audit compliance with various requirements under HIPAA.
Each module includes a number of specific performance measures, which cite specific sections of the HIPAA rules, against which KPMG assesses the covered entity.
The Privacy Rule module includes 78 performance measures;
the Security Rule module includes 77 performance measures; and the Breach Notification module includes 10 performance measures, for a total of 165 performance measures.
Each performance measure includes a "key activity" and an "audit procedure" that describes the actions the KPMG auditors take in reviewing compliance with the measure.
Sample Performance Measure: "§ (a)(1) -- A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies and is limited to the relevant requirements of such law. § (a)(2) -- A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law."
Key Activity: Uses and Disclosures Required by Law
Audit Procedure: Inquire of management as to whether the requirements to use or disclose PHI required by law are met. Obtain and review Notice of Privacy Practices and evaluate the content in relation to the specified criteria to determine if the entity identifies the disclosures required by law. Obtain and review policies and procedures and evaluate the content in relation to the specified criteria for uses and disclosures required by law.

31. Audits: What to Expect
(continued)
10. Remote access activity (network infrastructure platform, access servers, authentication and encryption software)
11. Password and server configurations
12. Antivirus software
13. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas
Notice that the information requested is specific such as in #11 which requires disclosure of password and server configurations
Reaction to the audit protocol has been mixed.
Some have criticized the protocol as providing significant details related to certain requirements and not others. Others have criticized it as lacking specificity and simply parroting back the HIPAA rules with little additional information.
For example, some have criticized the protocol for calling for determining if the covered entity risk assessment has been conducted on a "periodic basis" without defining what periodic basis means.
In response to these criticisms, OCR officials said that while they understand stakeholders' desire for specificity, the HIPAA rules were not designed as a set of one-size-fits-all requirements. OCR also has stressed that it is not attempting to set new standards through the protocol.
Others, however, suggest that the protocol can help serve as a useful rubric for assessing the status of a covered entities' HIPAA compliance efforts. For example, John Halamka -- co-chair of the Health IT Standards Committee, an advisory group to the Office of the National Coordinator for Health IT, and CIO at Beth Israel Deaconess Medical Center -- has recommended supplementing the audit protocol with the HIPAA implementation guides developed by the National Institutes for Standards and Technology, which are designed to aid covered entities in understanding the security concepts included in the HIPAA Security Rule.

32. Audits: What to Expect Personal Interviews with CE leadership
(continued)
Site Visits
Personal Interviews with CE leadership
Up Close and Personal Examination
Policy Consistency
Observation
DEBBIE
Step 3 consists of Site Visits.
Site visits are conducted by audit teams of 3 to 5 auditors (or 2 to 3 auditors for small, noncomplex practices) with expertise in compliance auditing, HIPAA privacy and security, and IT auditing.
The visits will include interviews with leadership
(e.g., chief information officer, legal counsel, health information management director);
examination of physical features,
operations, and adherence to policies; and
observation of compliance with HIPAA regulatory requirements.
Security Module
Sample Performance Measure: "§ (a)(1) -- Security Management Process § (a)(1)(ii)(a) -- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity."
Key Activity: Develop and Deploy the Information System Activity Review Process
Audit Procedure: Inquire of management as to whether formal or informal policy and procedures exist to review information system activities, such as audit logs, access reports and security incident tracking reports. Obtain and review formal or informal policy and procedures and evaluate the content in relation to specified performance criteria to determine if an appropriate review process is in place of information system activities. Obtain evidence for a sample of instances showing implementation of covered entity review practices. Determine if the covered entity policy and procedures have been approved and updated on a periodic basis.

33. Audits: What to Expect Auditor Reports
Auditors will develop a draft report
Final report submitted to OCR
OCR may initiate compliance review for serious issues
If they do, you will be subject to a CAP
Auditor Reports
DEBBIE
After the site visit, the auditors and the CE sit down and talk about the findings. A CE may provide further information to mitigate a finding or clarify something it thinks was misinterpreted. IT IS IMPORTANT TO NOTE THAT ONCE THIS DISCUSSION PERIOD ENDS, TIME IS UP FRO TRYING TO PROVE COMPLICANE. There were instances were covered entities contacted KPMG 30 days of the field saying they corrected the whole process and requested that a particular finding be removed from the report. KPMG basically took the attitude of Sorry—we were there—we saw it-- too late.
The final report for each audit is required to include, at a minimum:
Identification and description of the audited entity (including full name, address, employer identification number, and contact person)
The methods used to conduct the audit
The defect or noncompliant status observed (including evidence)
A clear demonstration that each negative finding is a potential violation of the privacy or security rules, with citation
The reason that the condition exists, along with identification of supporting documentation used
The risk or noncompliant status resulting from the finding
Recommendations for addressing each finding
Entity corrective actions taken, if any
Acknowledgment of any best practices or successes
An overall conclusion paragraph

34. Penalties
HIPAA Civil
Civil - $100 per violation to maximum of $1.5M per year.
State Statutory
State common law tort action
Invasion of privacy
Intentional/negligent infliction of emotional distress

35. New Civil Monetary Penalty System
Accidental
$100 each violation
Up to $25,000 for identical violations, per year
Not Willful Neglect, but Not Accidental
$1,000 each violation
Up to $100,000 for identical violations, per year
Willful Neglect, Not Corrected
$50,000 each violation
Up to $1.5 million per year

36. And…Don’t forget about Criminal Penalties
Up to $250,000 fine
Imprisonment up to 10 years
“Knowingly”
$50,000
Imprisonment up to one year
False pretenses
Up to $100,000 fine
Up to five years in prison
Intent to sell, transfer, or use for commercial advantage, or for personal gain or malicious harm
$250,000
Imprisonment for up to ten years

37. Recent OCR Enforcement Cases
Mass. Gen. Hosp. – Employee left 192 patient files containing HIV/AIDs PHI on subway that were never recorded. $ penalty and 3 year CAP Phoenix Cardiac Surgery – failed to secure Patient Calendar Appointment App. $ , 3 year CAP

38. Recent OCR Enforcement Cases
WellPoint Inc. Managed Care Company
Important message for CEs to take caution when implementing changes to information systems, especially when changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.
HHS began investigation following breach report from WellPoint as required by HITECH indicating security weaknesses in an online application database that left ePHI of 612,402 individuals accessible to unauthorized individuals over the Internet.
$1.7 million penalty
OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule.

39. WellPoint (continued)
Whether systems upgrades are conducted by covered entities or their BA’s, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet.

40. Recent OCR Enforcement Cases
Affinity Health Plan, Inc. - settled potential violations of HIPAA Privacy and Security Rules for $1,215,780.
Affinity impermissibly disclosed PHI of up to 344,579 individuals when it returned multiple photocopiers to leasing agent without erasing data contained on copier hard drives. 
Affinity failed to incorporate ePHI stored in copier’s hard drives in its analysis of risks and vulnerabilities under Security Rule, and failed to implement policies and procedures when returning hard drives to leasing agents.

41. 2012 Ponemon Institute Study
Healthcare industry loses $7 billion a year due to HIPAA data breaches
Average economic impact of a data breach has increased by $400,000 to a total of $2.4 million since 2010
94% of CEs have had at least one data breach in the last two years
Average number of lost or stolen records per breach is 2,769
Top 3  causes of data breaches:
Lost or stolen computing device (46%)
Employee mistakes or unintentional actions (42%)
Third party snafus (42%)
18% of CEs say medical identity theft was a result of a data breach
Annual security risk assessments are done by less than half (48%) of CEs
48% of data breaches in 2012 involved medical files
Primary activity by CEs to comply with HIPAA training is awareness training of all staff (56%), followed by vetting and monitoring of third parties, including business associates (49%)

42. Questions?